Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Path Traversal in symfony/ux-toolkit Allows Arbitrary File Write and Read via Crafted Recipe Manifest
June 19, 2026
#Security Advisories
XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses
June 19, 2026
#Security Advisories
Denial of service in symfony/ux-live-component via unbounded batch action requests
May 29, 2026
#Security Advisories
XSS in symfony/ux-live-component via attacker-controlled child component tag
May 29, 2026
#Security Advisories
Information exposure via unescaped LIKE wildcards in EntitySearchUtil
May 29, 2026
#Security Advisories
CVE-2026-49215 CSRF Protection Bypass in symfony/ux-live-component: Accept Header is CORS-Safelisted
May 29, 2026
#Security Advisories
XSS in symfony/ux-autocomplete via unescaped AJAX response data
May 29, 2026
#Security Advisories
LiveComponentHydrator HMAC checksum lacks component and slot binding
May 29, 2026
#Security Advisories
Format-less date LiveProps parsed with the permissive DateTime constructor
May 29, 2026
#Security Advisories
Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
May 27, 2026
#Security Advisories